Overview

overview

10

Static

static

10

cb7c19b49e...a6.exe

windows7-x64

10

cb7c19b49e...a6.exe

windows10-2004-x64

10

Resubmissions

25/01/2024, 01:57

240125-cdn9qadge6 10

24/01/2024, 15:56

240124-tdhwdadfb5 10

24/01/2024, 11:55

240124-n3eblahecn 10

Analysis

  • max time kernel
    448s
  • max time network
    450s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2024, 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe

  • Size

    3.4MB

  • MD5

    f64a5c6fa180acaee93d4fac406c579b

  • SHA1

    bacf88f16fe670ef2d87df154929c51b28b12263

  • SHA256

    cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6

  • SHA512

    01687ae73126dd6540308efa140e56c5410d5971415881a3747cf961c4abcd2e9be4dcd75181f865070bfb4e296617b8e3d61f55de747407a4c459e6a2bc0197

  • SSDEEP

    24576:SvFnlgEsJu/SqXF3mh8uNFr95+CUNHEes4pyQquVexXCP7OigudxcAGZLqrDIjHM:QloJ0wtfSHO43ZpTLiADL

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\PLS_READ_ME.txt

Ransom Note
Oops, what happend? All of your files have been encrypted Your computer was infected with Frivinho Ransomware. Your files have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin or Robux. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Check this pastebin to get the my newest Bitcoin Adress: https://pastebin.com/raw/wZnisRDV And by cheking the pastebin, you can see more information about how you can pay.
URLs

https://pastebin.com/raw/wZnisRDV

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (198) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7c19b49efd25a4314129c9024c8e84ad9dd8acb45658ecf43c2d1fab775ca6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3808
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4260
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:364
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4808
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4832
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\PLS_READ_ME.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4132
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1084
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:800
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:976
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.0MB

      MD5

      a582054723bf9c7b844a8ab8ae1454c8

      SHA1

      a4ca7c0c25c1799e8b3f0e1db26437ba28e15f72

      SHA256

      d4420fb90e992c52adc8b050c5f61932c3f26b076b6b3d4055301eeb8704e7c3

      SHA512

      bb7a9fbc66c8cc1119913a880fc989087c4605a510e5e4aee2452345cf4785c4d3a90c83659e4ded473da8c5190b0504f59664d004e59b1b61694052ef1ee3dc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      937KB

      MD5

      dff9cedb9bb9e9c85c83bc282c361491

      SHA1

      857b247439f996f0a4a41efc974b12890d143c8d

      SHA256

      78917a3a48183b6947653f0eb8154c79bfec095f1e65bc248a6d7f7cc81fd393

      SHA512

      ee7bcf7afd804298dbcbf430625b1e1119e54c2d63922d60099e8ec882a5f73325322674ee16c5402210477443ff9c69b88d2b939971f461a14127a2d0d0b92f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.0MB

      MD5

      20b6132e4a65d22fb223db761abcd60b

      SHA1

      2317a4b155e003dcc024a5f3ceb33f720a90debb

      SHA256

      237dd06f62a8c5c6eda3611aa5bcd70f2eb04c30b0581c05a5f36ec929e4724f

      SHA512

      5837f850956e2a376a915dd1bbda4d8ff31ff6852c850209657cf5a2e6ae6de9dfd4ece07a6028a3019684c893eca69a60a8837a168d2bee8bb5da281ed6aa7c

      Download Submit

    • C:\Users\Admin\Documents\PLS_READ_ME.txt
      Filesize

      1019B

      MD5

      bf4f42180e1f6f0dc0dc8e5863fbfdff

      SHA1

      11ebaf5dd9d926371b27c9cdb86a0b7978deb383

      SHA256

      c22510ba329236dacd2e14be4c260eca7a8deb7433cb4291311232f37ee40bd7

      SHA512

      6004b7d2e6a6b4035363d25cb7291dc0be0c0070a8bbadea0c4275278fb4299e3348cb5aebb5d9870ff7986bf43c59983bb3aa1680f1b27fcad8c68064c09c16

      Download Submit

    • memory/1676-15-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1676-464-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4176-0-0x0000000000B40000-0x0000000000EAA000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4176-1-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4176-14-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

      Filesize

      10.8MB

      Download